1. Field of the Invention
The present invention relates to authentication or credentials for access control of protected resources, and more particularly to the use of credentials or authentication granted by one system as a basis for granting credentials or authentication on another system.
2. Description of the Related Art
As known in the art, it is possible to use session credentials to control or limit access to protected resources. In a networked system, this technique is commonly used when a client computer attempts to gain access to protected resources that are held by, or accessible through, a server. These credentials or authentication are typically granted to the client for the duration of a session. The session may be defined by the length of time that a browser application on the client computer is open, or it may be defined as the shorter of a specific period of time and the length of time that the browser application is open. A session may also last longer than the browser application is open.
Once the session is over, the credential or authentication is no longer valid, and the client user must re-establish their credentials or authentication in order to regain access to the protected resources of the server.
A problem arises when the client wants access to protected resources on different servers of a system during the same session. Without some mechanism for sharing of credentials or authentication between the servers, the client user must establish credentials with each server. To overcome this problem, single sign-on systems have been developed. While these single sign-on systems eliminate most or all of the necessity for a client user to authenticate on each system, they do not readily scale or bridge across different systems. One technique for bridging across different systems is to have a shared vault for authentication or credentials that is available to both systems. However, this approach requires a great deal of coordination between the systems, and necessarily requires some cross-system access.
Another approach is to have some form of shared secret keys, or a set of public keys, used by the two systems. This allows one system to prove its identity to the other by encrypting or signing a request and passing it through the client browser to the second system (typically this is done through a "cooked URL" or CURL).
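The shared-secret "cooked URL" exchange described above, as an added illustration that is not part of the patent text: the first system signs the request with a key it shares with the second system, embeds the signature in a URL the client browser follows, and the second system verifies the signature, enforces a validity window and rejects replayed URLs before issuing its own local session. The HMAC construction, the secret value, the parameter names and the 300-second window are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Constructed shared secret for this illustration only; a real deployment
# provisions a distinct secret per pair of systems, out of band.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_AGE_SECONDS = 300  # assumed validity window for a cooked URL


def build_cooked_url(base_url, user, now=None, nonce=None):
    """First system: sign (user, issued-at, nonce) with the shared key and
    embed the signature in a URL that the client browser will follow."""
    issued = int(time.time()) if now is None else now
    nonce = nonce or secrets.token_hex(8)
    payload = f"{user}|{issued}|{nonce}".encode()
    sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    query = urllib.parse.urlencode(
        {"user": user, "ts": issued, "nonce": nonce, "sig": sig})
    return f"{base_url}?{query}"


class SecondSystem:
    """Relying system: accepts the signed request only if signature, age and
    nonce checks all pass, then grants its own session for the user."""

    def __init__(self):
        self.seen_nonces = set()   # replay cache (bounded by MAX_AGE in practice)
        self.sessions = {}         # local session token -> user

    def accept(self, url, now=None):
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
        try:
            user, ts, nonce, sig = q["user"], int(q["ts"]), q["nonce"], q["sig"]
        except (KeyError, ValueError):
            return None  # malformed request
        expected = hmac.new(SHARED_SECRET, f"{user}|{ts}|{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered or forged; constant-time compare
        current = int(time.time()) if now is None else now
        if not 0 <= current - ts <= MAX_AGE_SECONDS:
            return None  # stale, or issued in the future
        if nonce in self.seen_nonces:
            return None  # replayed URL
        self.seen_nonces.add(nonce)
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user
        return token
```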
What is needed is a method and system to support cross-system authentication and credentialing, while maintaining the advantages of single system authentication and credentialing.